GHSA-3vx3-xf6q-r5xp

Suggest an improvement
Source
https://github.com/advisories/GHSA-3vx3-xf6q-r5xp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3vx3-xf6q-r5xp/GHSA-3vx3-xf6q-r5xp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3vx3-xf6q-r5xp
Aliases
Published
2022-05-13T01:25:13Z
Modified
2024-04-18T17:16:05.863751Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Exposure of Resource to Wrong Sphere in Apache Tomcat
Details

While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.

References

Affected packages

Maven / org.apache.tomcat:tomcat-catalina

Package

Name
org.apache.tomcat:tomcat-catalina
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat-catalina

Affected ranges

Type
ECOSYSTEM
Events
Introduced
9.0.0.M1
Fixed
9.0.0.M18

Affected versions

9.*

9.0.0.M1
9.0.0.M3
9.0.0.M4
9.0.0.M6
9.0.0.M8
9.0.0.M9
9.0.0.M10
9.0.0.M11
9.0.0.M13
9.0.0.M15
9.0.0.M17

Database specific

{
    "last_known_affected_version_range": "<= 9.0.0.M17"
}

Maven / org.apache.tomcat:tomcat-catalina

Package

Name
org.apache.tomcat:tomcat-catalina
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat-catalina

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.5.0
Fixed
8.5.13

Affected versions

8.*

8.5.0
8.5.2
8.5.3
8.5.4
8.5.5
8.5.6
8.5.8
8.5.9
8.5.11
8.5.12

Database specific

{
    "last_known_affected_version_range": "<= 8.5.12"
}

Maven / org.apache.tomcat:tomcat-catalina

Package

Name
org.apache.tomcat:tomcat-catalina
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat-catalina

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0
Fixed
8.0.42

Affected versions

8.*

8.0.1
8.0.3
8.0.5
8.0.8
8.0.9
8.0.11
8.0.12
8.0.14
8.0.15
8.0.17
8.0.18
8.0.20
8.0.21
8.0.22
8.0.23
8.0.24
8.0.26
8.0.27
8.0.28
8.0.29
8.0.30
8.0.32
8.0.33
8.0.35
8.0.36
8.0.37
8.0.38
8.0.39
8.0.41

Database specific

{
    "last_known_affected_version_range": "<= 8.0.41"
}

Maven / org.apache.tomcat:tomcat-catalina

Package

Name
org.apache.tomcat:tomcat-catalina
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat-catalina

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0
Fixed
7.0.76

Affected versions

7.*

7.0.0
7.0.2
7.0.4
7.0.5
7.0.6
7.0.8
7.0.11
7.0.12
7.0.14
7.0.16
7.0.19
7.0.20
7.0.21
7.0.22
7.0.23
7.0.25
7.0.26
7.0.27
7.0.28
7.0.29
7.0.30
7.0.32
7.0.33
7.0.34
7.0.35
7.0.37
7.0.39
7.0.40
7.0.41
7.0.42
7.0.47
7.0.50
7.0.52
7.0.53
7.0.54
7.0.55
7.0.56
7.0.57
7.0.59
7.0.61
7.0.62
7.0.63
7.0.64
7.0.65
7.0.67
7.0.68
7.0.69
7.0.70
7.0.72
7.0.73
7.0.75

Database specific

{
    "last_known_affected_version_range": "<= 7.0.75"
}

Maven / org.apache.tomcat.embed:tomcat-embed-core

Package

Name
org.apache.tomcat.embed:tomcat-embed-core
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat.embed/tomcat-embed-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
9.0.0.M1
Fixed
9.0.0.M18

Affected versions

9.*

9.0.0.M1
9.0.0.M3
9.0.0.M4
9.0.0.M6
9.0.0.M8
9.0.0.M9
9.0.0.M10
9.0.0.M11
9.0.0.M13
9.0.0.M15
9.0.0.M17

Database specific

{
    "last_known_affected_version_range": "<= 9.0.0.M17"
}

Maven / org.apache.tomcat.embed:tomcat-embed-core

Package

Name
org.apache.tomcat.embed:tomcat-embed-core
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat.embed/tomcat-embed-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.5.0
Fixed
8.5.13

Affected versions

8.*

8.5.0
8.5.2
8.5.3
8.5.4
8.5.5
8.5.6
8.5.8
8.5.9
8.5.11
8.5.12

Database specific

{
    "last_known_affected_version_range": "<= 8.5.12"
}

Maven / org.apache.tomcat.embed:tomcat-embed-core

Package

Name
org.apache.tomcat.embed:tomcat-embed-core
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat.embed/tomcat-embed-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0
Fixed
8.0.42

Affected versions

8.*

8.0.1
8.0.3
8.0.5
8.0.8
8.0.9
8.0.11
8.0.12
8.0.14
8.0.15
8.0.17
8.0.18
8.0.20
8.0.21
8.0.22
8.0.23
8.0.24
8.0.26
8.0.27
8.0.28
8.0.29
8.0.30
8.0.32
8.0.33
8.0.35
8.0.36
8.0.37
8.0.38
8.0.39
8.0.41

Database specific

{
    "last_known_affected_version_range": "<= 8.0.41"
}

Maven / org.apache.tomcat.embed:tomcat-embed-core

Package

Name
org.apache.tomcat.embed:tomcat-embed-core
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat.embed/tomcat-embed-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0
Fixed
7.0.76

Affected versions

7.*

7.0.0
7.0.2
7.0.4
7.0.5
7.0.6
7.0.8
7.0.11
7.0.12
7.0.14
7.0.16
7.0.19
7.0.20
7.0.21
7.0.22
7.0.23
7.0.25
7.0.26
7.0.27
7.0.28
7.0.29
7.0.30
7.0.32
7.0.33
7.0.34
7.0.35
7.0.37
7.0.39
7.0.40
7.0.41
7.0.42
7.0.47
7.0.50
7.0.52
7.0.53
7.0.54
7.0.55
7.0.56
7.0.57
7.0.59
7.0.61
7.0.62
7.0.63
7.0.64
7.0.65
7.0.67
7.0.68
7.0.69
7.0.70
7.0.72
7.0.73
7.0.75

Database specific

{
    "last_known_affected_version_range": "<= 7.0.75"
}